TimeControl Security Architecture
Security of timesheet data is essential and TimeControl has been designed from the ground up to make sure that your timesheet data is available only to those who should be able to access it. TimeControl can restrict access to data or functions in a more detailed definition than any timesheet system on the market.
The TimeControl design looks at security from several perspectives:
SOC II Certification
HMS successfully passed its last SOC II Type certification in April 2022. A copy of this certification and additional details are available on demand.
Fundamental to the protection of the system is access to the database itself. TimeControl employs a "gateway" database concept where the user name and password to the gateway database are stored on the server but the password and user name to access the main database are encrypted and known only to the DBA and the TimeControl administrator. This allows the administrator to use the database tools for the selected database to allow or deny access to other applications (such as 3rd party report writers) only to the degree that is appropriate. In the case of TimeControl Online, the database cannot be accessed from the outside at all. In this case the TimeControl API must be used to enable programmatic access.
Security of the web environment
TimeControl employs a combination of .Net encrypted security and our own HMS™ encrypted security to manage the movement of data between the web client and the server. Even the password access can be protected through TimeControl's support of SSL on the login page. This makes every element of timesheet transactions highly secure.
TimeControl employs a highly effective encryption method to store passwords. TimeControl can also integrate over LDAP with directory services such as Microsoft's Active Directory to support environments where password complexity and frequency of password change are enforced.
Access to TimeControl functions
TimeControl's User Profiles allow a highly granular level of security to be employed. Profiles control what menu items and functions are available. Some users can be given access to some features, and others to other features. User Profiles can also determine how some features will appear. The dashboard can be disabled, left open to change by end-users or forced to a particular definition. The start/stop times in the timesheet can be made a single start/stop time, multiple start/stop times or turned off altogether. An unlimited number of User Profiles can be defined and then assigned to users.
Report, Data and Field level security within the application
User Profiles also control what data tables, reports and even screen fields are displayed. Fields can be read/write, read-only, view label-only, or invisible. Different aspects of TimeControl can have different data restrictions. A supervisor might be given access to some fields in the employee table but only for those employees they manage. User Profiles can make reports available to certain users, but only the data to which they have access will be displayed.